Secure universal two-step payment authorization system

ABSTRACT

A system and methods expedite and make secure payment data entry, and payment and authorization and authorization, for both in-store and online purchases. A mobile app, or widget or browser extension or installed service, on a mobile communication device, generates a barcode to be scanned at a point-of-sale terminal. Optional confirmation is sent to an app, or browser extension or widget or installed service, on a mobile or fixed communication device, to confirm a purchase. An independent app, or browser extension or widget or installed service, on a mobile or fixed communication device, generates a barcode that is sent directly to an online point-of-sale system. The method allows a purchaser to use the same app, or widget or browser extension or installed service, to purchase from any retailer with installed collaborating software.

CROSS REFERENCES TO RELATED APPLICATIONS

The present application claims priority to U.S. Provisional Patent Application No. 61/820,340 filed on May 7, 2013, which is hereby incorporated by reference in its entirety. The present application is also a continuation of U.S. patent application Ser. No. 14/271,835, entitled “Secure Universal Two-Step Payment Authorization System,” filed on May 7, 2014.

FIELD OF THE INVENTION

The present invention relates in general, to authentication and authorization for electronic payment, and particularly, to methods for completing purchase transactions through a mobile or fixed communication device.

BACKGROUND OF THE INVENTION

The proliferation of smartphones and tablet computers has brought electronic commerce into the next level—mobile commerce. A main driver for new devices and new applications (apps) is convenience. Automation or the ease of replacing a complicated task with a simplified alternative for the human user has been the impetus for numerous innovations. This trend is demonstrated in Apple's devices such as iPhones and MacBook computers.

A purpose of the current invention is to speed up and make secure 2 types of purchase made via electronic payment. The first type is purchases made in a retail store; the second type is online purchases via an Internet-connected computer. For both types of purchase, there are 2 essential steps: (1) entry of payment card (credit card, debit card, prepaid card, etc.) data, (2) authentication and authorization for the use of a payment card. For in-store purchases, data entry is commonly accomplished by swiping a plastic payment card; for online purchases, data entry is often accomplished by manual input. For both types of purchase, it is possible to add an optional confirmation.

In the rest of this specification, the first step is referred to as PDE (payment data entry); the second step is referred to as AA (authentication and authorization); the third and optional step is referred to as confirmation.

In a typical in-store purchase, PDE and AA take place at a POS (point-of-sale) counter with the assistance of a POS operator or a sales agent. After PDE (swiping the plastic card, for example), the POS system contacts a payment system operator to request payment AA.

For a purchaser with a mobile communication device installed with a special app, the 2-step task is simplified to “scan and approve.” For example, Starbucks provides the “My cards” app to expedite data entry. In a store, a sales agent scans the barcode generated by an app on a mobile device. The scan result is then relayed to the POS system to complete payment AA. Such a solution is referred to as a barcode solution in this specification.

The barcode solution speeds up PDE and adds security to a transaction because a purchaser does not have to remove a payment card from his purse. The barcode solution is attractive because barcodes are well understood and have been adopted around the world.

However, there are a number of issues that hinders large-scale adoption of the barcode solution. First, such apps are only available from a few retailers. Second, the stores must be equipped to perform scanning functions. The retailers often attach their apps to a rewards program to drive customer retention. Often, a customer has to register and administer his account for each retailer. As the number of these apps increases, it becomes a burden for users to keep track of the apps and the associated accounts.

An alternative to the barcode solution is the wireless solution in which a mobile communication device sends payment data wirelessly to a POS system. In the wireless solution, data exchange takes place between a mobile communication device and a POS system over a short distance. For this solution, a retailer has to upgrade its POS system to enable wireless data exchange.

Consider the scenario that a purchaser is standing in line waiting for check out. While waiting is undesirable, a purchaser may not want to speed up the payment process. For one thing, he may still change his mind about the purchase before the actual check out. Once at the check out counter, the purchaser is no longer interested in a wireless solution because a barcode scanner is readily available at the counter. Finally, a potential problem is that the wireless solution exposes private data to wireless security threats.

Among the wireless solutions, the use of NFC (near-field communication) seems attractive. However, the practical distance for today's NFC technologies is between 5 cm to 20 cm. At such distance, a purchaser is very close to a POS terminal—the barcode solution is readily available and cheaper. Further, NFC is susceptible to security threats; it is easy to sniff NFC radio signals with today's technology.

NFC-based solutions are attractive in a crowded arena—for example, automatic ticketing in a sports arena, theater, amusement park, or public transportation vehicle. These solutions require both a mobile device and a POS terminal to be NFC capable, a requirement that may not be satisfied for many consumers and retailers.

Barcode solutions are the cheapest, requiring the least amount of investment for both retailers and consumers. As barcode scanners have been universally adopted, the price of a barcode scanner is low. For most retailers, the added hardware cost is zero.

The barcode solution allows for easy adoption, as it is a software-only solution. The POS system must be installed with payment software. For consumers, a special app, or widget or browser extension or installed service, for a mobile or fixed device is available for free. An added advantage of this approach is that it is unlikely for barcode scanners to be replaced by alternate equipment anytime soon.

BRIEF SUMMARY OF THE INVENTION

It is an object of the present invention to provide a system and method, called USA (universal secure authentication), to expedite and make secure PDE, AA, and optional confirmation, for both in-store and online purchases.

A USA app, or widget or browser extension or installed service, on a mobile or fixed communication device, is employed as an interface between a purchaser and the POS system of a merchant. A USA app, or widget or browser extension or installed service, is supported by a USA server system to complete the tasks associated with the present invention. An operator of a USA server system is called a USA service provider. A retailer with collaborating software installed on its POS system that enables communication between the retailer's POS system and a USA server system is called a collaborating retailer.

The USA system is not restricted to enabling purchases from a designated retailer—instead, the USA system enables purchases from any retailers that have collaborating software installed on their POS systems.

In a retail store, a USA app, or widget or browser extension or installed service, on a mobile communication device, generates a barcode to uniquely identify a payment card selected by a purchaser; a retailer's POS operator scans the barcode with a barcode scanner. The retailer's POS system uses the barcode scan image to identify a payment card for payment AA.

For an online purchase, a USA app or widget or browser extension or installed service, on a mobile or fixed communication device, generates a barcode to uniquely identify a payment card selected by a purchaser. The barcode is sent to the POS system of an online retailer to complete payment AA.

Optionally, a retailer does not store payment card data in its POS system, the barcode scan image is directly sent to a payment system operator for payment AA.

There are 2 options for performing payment AA. In the first option, the POS system of a retailer makes payment AA request to a payment system operator; in the second option, a USA server system makes payment AA request directly to a payment system operator.

There are 2 options for sending payment card data to a payment system operator. In the first option, the normal payment card data (such as payment card type, payment card account number, payment card name, etc.) is sent to a payment system operator. In the second option, only a barcode is sent to a payment system operator.

Optionally, before a payment system operator is contacted for payment AA, a USA server system sends a request message “confirm-to-purchase” to the purchaser of an in-store or online purchase, through a USA app, or widget or browser extension or installed service, on a mobile or fixed communication device. The purchaser has to reply with a message confirming or cancelling the purchase back to the USA server system.

Optionally, a USA app or a USA server system requires the use of a purchaser's biometric data on a mobile or fixed communication device or a wearable device to complete payment AA.

Optionally, a USA server system operator is a payment system operator or an agent of a payment system operator.

BRIEF DESCRIPTION OF THE DRAWINGS

The above and other objects and features in accordance with the present invention will become apparent from the following descriptions of embodiments in conjunction with the accompanying drawings, and in which:

FIG. 1 is a flowchart illustrating the actions and data flow in an in-store purchase with a mobile communication device.

FIG. 2 is a flowchart illustrating the actions and data flow in an online purchase with a laptop computer and a mobile communication device.

FIG. 3 depicts the steps of a USA app installed on a mobile communication device to complete an in-store purchase.

FIG. 4 depicts the steps of a USA app installed on a laptop computer to complete an online purchase.

DETAILED DESCRIPTION OF EXEMPLARY EMBODIMENTS

The present invention is a system and method referred to as a USA (universal secure authentication) service. A USA service is a modified barcode solution to expedite and make secure PDE, AA, and optional confirmation, for both in-store and online purchases. An operator that provides a USA service is said to be a USA service provider. A USA service provider is supported by a USA server system. A retailer is said to be a collaborating retailer if its POS system is installed with USA software that allows communication between a USA server system and its POS system to perform the work of a USA service.

The system and method is “universal” in that a purchaser is able to use a USA service to make purchases from any collaborating retailers (online or in-store) with any payment card. It is secure as it allows an optional confirmation to complete payment AA.

A USA service makes the selection of a payment method easy—a purchaser does not have to remove a payment card from his purse. A USA service allows a purchaser to avoid manual data entry for a payment card—for in-store purchases, card swiping is avoided; for online purchases, manual data entry is avoided. This provision makes the PDE process easy and more fault-tolerant. As a result, the PDE process is accelerated.

A purpose of the present invention is to make all communication of payment card data secure and in compliance with PCI DSS (payment card industry data security standard). According to one aspect of the present invention, it is unnecessary for a collaborating retailer or a USA service provider to store payment card data. For each purchase, the payment card data is communicated to the POS system of a retailer in the form of a barcode. This barcode may be sent directly to a payment system operator for AA. Therefore, even if the POS system of a retailer or a USA server system is hacked, only the barcodes stored in either system will be lost to the hack.

Optionally, a barcode generated by a USA service is a UUID code (universally unique identifier) based on a payment card selected by a purchaser. Optionally, a USA service generates a UUID by encoding the payment card data with a onetime pad (or encryption key)—this will make the encrypted barcode perfectly secret. The onetime decryption key for each payment card may be stored at 3 possible places: the POS system of a collaborating retailer, a USA server system, or the server system of a payment system operator.

Hereafter, a mobile communication device is a handheld computing-communication device that connects to the Internet wirelessly. A fixed communication device is a computing-communication device that connects to the Internet through a fixed line. A wearable device is a consumer item that can be worn and is equipped with computing and communication technology. Examples of a wearable device include Apple's iWatch and the Google glass.

Hereafter, a payment card system is meant to be an electronic payment system with or without a payment card, plastic or non-plastic. Such a system could be credit-based or debit-based, or a combination of both.

A transaction-acquiring financial institution or processor (the “acquirer”) is a payment system operator that executes payment AA. An “acquirer” either approves a transaction or routes a transaction to a payment-card account issuer (the “issuer”) for further approval or denial of the transaction. Hereafter, a payment system operator is meant to be a transaction acquirer, an issuer, or any financial institutions that approves and executes electronic payment.

In accordance with one aspect the current invention, a USA system or service comprises 2 necessary components: (1) a USA app, or widget or browser extension or installed service, which is responsible for PDE, and (2) a USA server system, which is responsible for AA-C (authentication-authorization with confirmation).

A USA system or service is not restricted to work with a designated retailer with a designated set of payment systems. Any retailer (in-store or online) can work with a USA service provider by installing USA software on its POS system and become a collaborating retailer of the USA service.

In a USA service or system, a mobile or fixed communication device is installed with a USA app, or widget, or browser extension, or installed service. The USA app, or widget or browser extension or installed service, generates a special barcode for each payment card selected by a user.

A USA server system may make payment-AA request directly to a payment system operator to obtain a payment approval or denial code. Once the USA server system receives an approval or denial code, it relays the code to the POS system that is working on the current purchase. Otherwise, the POS system of a retailer makes payment-AA request directly to a payment system operator.

For an in-store purchase, a sales agent scans the barcode generated by a USA app, or widget or browser extension or installed service, on a mobile communication device held by a purchaser. For an online purchase, a USA app, or widget or browser extension or installed service, generates a barcode, which is either copied-and-pasted onto a web page, or is sent directly to the POS system of the online retailer.

For both in-store and online purchases, the POS system recognizes the barcode and associates the barcode with a payment card of the purchaser. The POS system may send the associated payment card data along with the transaction details (the purchase description, the purchase amount, etc.) to a USA server system. For each payment card, its detailed data (payment card account number, expiration date, security code, etc.) may be stored in the POS system of a collaborating retailer, or a USA server system, or both.

Optionally, a barcode generated by a USA system is an encoded UUID (universally unique identifier). UUID is an identifier standard used in software construction, standardized by the Open Software Foundation. Optionally, after a barcode is scanned, a POS system uses the decoded UUID as the key to retrieve the stored payment card data for the purchase, if the POS system stores such data. The POS system may also send the decoded UUID to a USA server system. At a USA server system, a decoded UUID may be used as the key to retrieve the stored payment card data for the purchase.

According to one aspect of the present invention, the POS system of a collaborating retailer may not store payment card data for each purchase in an explicit form; in addition, the server system of a USA service may not store the payment card data for each purchase in an explicit form. The POS system of a collaborating retailer may store payment card data for each purchase only in the form of a barcode; similarly, the server system of a USA service may store the payment card data for each purchase in the form of a barcode. Each barcodes so stored may be encrypted with a onetime pad (encryption key).

Optionally, a USA app, or widget or browser extension or installed service, on a fixed or mobile communication device, requires a PIN (personal identification number) or PIC (personal identification code) or biometric data from a purchaser for high-value purchases over a fixed dollar amount. The threshold may be zero—in this case, a PIN or PIC is needed for each purchase. The optional requirement may be triggered by a POS system, a USA app, or widget or browser extension or installed service, or a USA server system.

Optionally, before a payment system operator is contacted for payment AA, a USA server system sends a request message “confirm-to-purchase” to the purchaser, through a USA app, or widget or browser extension or installed service, on a mobile or fixed communication device used by the purchaser. The USA app, or widget or browser extension or installed service, prompts the purchaser to confirm or cancel the purchase with a simple input. The USA app, or widget or browser extension or installed service, then sends a reply message, confirming or cancelling the purchase, back to the USA server system.

Optionally, a barcode generated by the USA system is an encrypted code using an encryption key. The decryption keys may be stored at a USA server system, or the POS system of a collaborating retailer, or a server system of a payment system operator. Optionally, an encryption key and its decryption key are for one-time use—a new set of keys is generated for each transaction.

Optionally, a USA service user is given a user account in a USA server system. After a payment system operator approves a purchase, the USA server system stores the new purchase details in the user's account. This action enables value-added services through the USA server system to the USA customer. For example, e-reward, e-coupon, expense handling, and transaction reporting can be part of the value-added services.

Optionally, a USA system is configured to provide repeat-purchase (such as monthly or quarterly repurchase) or installment payments to merchants.

FIG. 1 shows a flowchart of actions and data in a USA system for an in-store purchase. In step 201, the purchaser 200 launches a USA app on his mobile communication device, and the USA app generates a barcode. In step 101, the POS operator 100 scans the barcode, and the POS system 100 sends the purchase details with payment data to a USA server system 300. In step 301, the USA server system 300 sends a confirmation request to the purchaser through the USA app on his mobile device. In step 202, the purchaser 200 confirms or cancels the purchase, and the USA app sends a message to the USA server system 300 confirming or canceling the purchase. In step 302, the USA server system 300 sends a message confirming or canceling the purchase to the POS system 100, and optionally contacts a payment operator 400 for payment AA. In step 102, having received a confirmed message from the USA server system 300, the POS system 100 optionally contacts a payment system operator 400 for payment AA.

If the purchase amount is greater than a threshold, in step 301, the USA server system request optional biometric data from the purchaser to confirm the purchase.

FIG. 2 shows a flowchart of actions and data in a USA system for an online purchase. In step 201, the purchaser 200 launches a USA app on his laptop computer, and the USA app generates a barcode and sends the barcode to the online POS system 100. Also in step 201, the USA app connects to a USA server system 300. In step 101, the POS system 100 sends purchase details with payment data to a USA server system 300. In step 301, the USA server system 300 connects to the USA app and the POS system 100. Also in step 301, the USA server system 300 sends a confirmation request to the purchaser through the USA app on his mobile or fixed device. In step 202, the purchaser 200 confirms or cancels the purchase. Also in step 202, the USA app sends a message to the USA server system 300 confirming or canceling the purchase. In step 302, the USA server system 300 sends a message confirming or cancelling the purchase to the POS system 100, and optionally contacts a payment operator 400 for payment AA. In step 102, having received a confirmed message from the USA server system 300, the POS system 100 optionally contacts a payment system operator 400 for payment AA.

FIG. 3 shows the steps for a USA app 200 to complete in a mobile communication device for an in-store purchase. In step 201, the user chooses a payment card. If the user does not specify a specific card, the USA app 200 chooses a default payment card. In step 201, optionally, the USA app 200 requests a PIC or PIN to be entered by the purchaser. In step 202, the USA app 200 generates a barcode to be scanned. In step 203, the USA app 200 on the mobile device may prompt the user to confirm the purchase. In step 204, the USA app 200 may prompts the user to confirm the purchase by biometric data. In step 205, a confirmation message is sent back to the USA server system.

FIG. 4 shows the steps for a USA app 200 in a laptop computer to complete an online purchase. In step 201, the USA app 200 establishes a connection with an online POS system. Also in step 201, if the user does not specify a specific card, the USA app 200 chooses a default payment card. In step 201, optionally, the USA app 200 requests a PIC or PIN to be entered by the purchaser. In step 202, given the chosen payment card, the USA app 200 generates a barcode. At step 203, the barcode is sent to the POS system of the online retailer. In step 204, the USA app 200 may prompt the user to confirm the purchase. In step 205, the USA app 200 may prompt the user to confirm the purchase by biometric data. In step 206, the USA app 200 sends the confirmation message back to the USA server system. 

1.-20. (canceled)
 21. A financial institution subsystem in communication with a commercial entity subsystem, the financial institution subsystem comprising: at least one processor component; at least one memory component; and at least one communications component, wherein the financial institution subsystem is configured to: receive from the commercial entity subsystem a request for payment authorization, the request containing at least an encrypted digital representation of a commerce credential for the requested payment transaction, the commerce credential containing no payment credentials usable in any other future transactions; after the receiving, retrieve a payment credential from the memory component using the encrypted digital representation received from the commercial entity subsystem; after the retrieving, process the requested payment authorization; and after the processing, send an approval-or-denial reply regarding the payment authorization request to the commercial entity subsystem.
 22. The financial institution subsystem of claim 21, wherein the financial institution subsystem is further configured to communicate with a merchant subsystem, and sends also the approval-or-denial reply to the merchant subsystem, after processing the requested payment authorization.
 23. A financial institution subsystem in communication with a commercial entity subsystem, the financial institution subsystem comprising: at least one processor component; at least one memory component; and at least one communications component, wherein the financial institution subsystem is configured to: receive from the commercial entity subsystem a request for payment authorization, the request containing at least an encrypted digital representation of a commerce credential for the requested payment transaction, the commerce credential containing no payment credentials usable in any other future transactions; after the receiving, recover a payment credential from the encrypted digital representation received from the commercial entity subsystem; after the retrieval, process the requested payment authorization; and after the processing, send an approval-or-denial reply regarding the payment authorization request to the commercial entity subsystem.
 24. The financial institution subsystem of claim 23, wherein the financial institution subsystem is further configured to communicate with a merchant subsystem, and sends also the approval-or-denial reply to the merchant subsystem, after processing the requested payment authorization.
 25. A method comprising: receiving at a financial institution subsystem a request for payment authorization, the request containing at least an encrypted digital representation of a commerce credential for the requested payment transaction, the commerce credential containing no payment credentials usable in any other future transactions; after the receiving, retrieving a payment credential at financial institution subsystem using the encrypted digital representation received from the commercial entity subsystem; after the retrieving, processing the requested payment authorization at the financial institution subsystem; and after the processing, sending an approval-or-denial reply regarding the payment authorization request from the financial institution subsystem to the commercial entity subsystem.
 26. The method of claim 25, further comprising: the financial institution subsystem sending the approval-or-denial reply also to a merchant subsystem, after processing the requested payment authorization. 